At the ABA Business Law Section’s annual meeting in Spring 2020, which went virtual for the first time due to the pandemic, the Section’s Gaming Law Committee took up the issue of sports betting and data security as a key emerging area that intersects with numerous other areas of law practice, including contracts, commercial transactions, securities regulation, business entity issues, tribal-state compacting, and intellectual property. Along with the authors of this article, Dennis Ehling (Partner with Blank Rome in Los Angeles), Raymond Luk, Jr. (Corporate Counsel for BorgWarner Inc., in Auburn Hills, Michigan), and Peter McLaughlin (Partner with Culhane Meadows in Boston) comprised the panel, which was co-sponsored by the Business Law Section’s Intellectual Property and Sports Law Committees.
A rapidly evolving subfield in gaming law concerns cybersecurity, data protection, and privacy rights. The swift expansion of legalized sports betting, as well as igaming, mobile gaming, daily fantasy sports (DFS), and competitive videogaming (esports), has created both opportunities and challenges for the business lawyer. Online and mobile platforms for sports betting and DFS, as well as team trademarks and design of esports games, raise issues related to intellectual property, data collection and reporting, data ownership, protection, and privacy, and data security. A business lawyer advising clients in these areas, or working directly in these industries, needs to know how data protection compliance and intellectual property interests operate in these rapidly developing contexts. Such matters also increasingly intersect with the dynamic area of digital currencies and cryptocurrencies, blockchain technologies and transactions, and compliance within and across jurisdictions, whether domestic or international.
Data security has always been a key issue for the gaming industry. Traditionally a “cash business,” the current $260 billion U.S. gaming industry runs primarily on transactions, often large ones. Like finance and banking institutions, casinos must be diligent in guarding against cybersecurity threats, especially as mobile and online transactions become the norm. The gaming industry also relies on computer systems for operating gaming devices, gaming floor security, and gathering and storing player data, among other functions, all of which can be targets for hackers and cheats. With the recent spread of legalized sports betting, data security is more important than ever.
Casinos and Cybersecurity
Like other industries that retain extensive customer data, the gaming industry is particularly vulnerable to cyber threats. The 2014 hacking of the Las Vegas Sands Corporation (LVS), which owns the Venetian and Palazzo casino resorts in Las Vegas as well as several casino resorts in Asia, provides a cautionary tale. As confirmed by the U.S. Director of National Intelligence, the cyber-attack was carried out by Iranian “hacktivists” in retaliation for LVS CEO Sheldon Adelson’s support of a U.S. military strike against Iran. Malware shut down company email and phone lines, and wiped out employee hard drives. Hackers stole customer credit card data, Social Security numbers, and driver’s license information. The company’s casino websites were taken over and defaced, prompting a one-week shutdown before the sites were restored. The cyber-attack impacted the majority of the company’s Las Vegas servers; the cost of recovering data and building new systems reportedly was in excess of $40 million.
The gaming industry has its own particular vulnerabilities as well. Several years ago, a Russian hacker devised a system to decipher the random number generator programs in slot machines. He then organized teams to visit casinos and identify vulnerable slot machines, before using a smartphone app to trigger a jackpot on the machine. Reportedly, the teams took in $250,000 a week from casinos around the world. In 2014, four team members pled guilty to federal fraud charges stemming from using the slot machine cheat in casinos in California, Illinois, and Missouri. The hacker also leveraged the success of the teams to attempt to extort the slot machine manufacturer. Though the extortion attempt was unsuccessful, the hacker bragged to a magazine that he continues to earn millions through the scheme.
Since the U.S. Supreme Court’s 2018 decision striking down the federal Professional and Amateur Sports Protection Act in Murphy v. NCAA, 584 U.S. ___, some 24 states plus the District of Columbia have legalized sports betting, with as many as a dozen more expected to take up sports wagering legislation in 2021. Commentators predict that as many as 45 states may have legal sports betting within five years. A growing number of states, including Indiana, Iowa, Nevada, New Jersey, Pennsylvania, Rhode Island, and West Virginia, have also legalized online and mobile sports betting.
Legal wagers on Super Bowl LIV in 2020 exceeded $270 million (though legal wagers continue to be eclipsed by the illegal market; the estimated total wagers for the Super Bowl were over $6 billion, placed by some 26 million bettors). Industry experts estimated that five million people placed their bets—both legal and illegal—via online or mobile platforms.
Next on the calendar, of course, was March Madness—the NCAA men’s basketball tournament. The American Gaming Association had predicted over $10 billion in wagers ($295 million made legally) by over 50 million Americans and some 100 million people around the world. The tournament was cancelled due to the pandemic—as were all collegiate and major-league professional sports throughout the U.S., as well as globally, throughout the summer and into the fall. This only raised the stakes. Industry commentators predict that latent and pent-up demand for sports and sports gambling opportunities will generate wagers of similar or even larger amounts for Super Bowl LV in Tampa Bay, as well as for the recently announced “bubble edition” of March Madness taking place in Indiana in spring 2021.
As more states enter the legalized sports betting market, many of them have minimal regulatory experience as compared to Nevada, where sports betting has been legal and highly regulated for decades. Even fewer states have experience with regard to online and mobile betting, as federal law has permitted states to legalize online gaming only for the last decade or so.
Sports Betting and Data Security
Cybersecurity experts warn about the risks posed by the lure of the anticipated handle, both legal and illegal, around sports betting. While money laundering and theft are concerns, so are data breaches of customer information, which in the long run may be even more valuable—and more damaging—to patron and operator alike. The customer data collected by casinos often is extensive. Bettors may be required to provide date of birth, Social Security number, physical and email addresses, and other personal identifying information. They may also be required to create accounts with financial and banking information, along with passwords and security questions. Customer habits and preferences may be tracked through players club cards and apps. For online and mobile betting, age (sometimes via date of birth) and location data are also collected.
But sports betting also has other valuable data: sports data.
Sports books offer wagers not just on the outcome of the game (win or moneyline), but on the score (over/under, point spread) and special events (proposition bets, such as whether the game will go into overtime or whether a particular player will score a touchdown). In-play or live betting allows bettors to place wagers after an event has started and up to the time of its conclusion. The odds on all of these bets are driven by sports data on all features of the players, teams, contests, and leagues. The security of sports data is critical to the integrity of legalized sports betting. As sports betting has one of the slimmest margins of any casino game, the security of sports data also is critical to the financial risk inherent in a casino’s sports book.
Sports data also is an intellectual property asset. Leagues and teams have claimed ownership of sports data, with the business plan of selling their official data to data analytics companies and oddsmakers, or charging integrity or data rights fees to the gaming industry. For example, in 2018, MGM Resorts entered into a 3-year deal with the NBA to receive league-verified data for some $25 million, followed by similar deals between MGM and the NHL and MLB. But there are unsettled questions regarding ownership, copyright, and fair use. Broadcasts of sporting events may be copyrightable, but the live game likely is not. Prior cases, including NBA v. Motorola, Inc., 105 F.3d 841 (2d Cir. 1997) (broadcasts, not games, are copyrighted; facts derived from broadcasts are not copyrighted; a sports broadcast is not “hot news”), Morris Communications Co. v. PGA Tour, 364 F.3d 1288 (11th Cir. 2004) (a sports league may charge a fee for access to proprietary data without violating antitrust laws), C.B.C. Distribution & Marketing, Inc. v. MLB Advanced Media, 505 F.3d 818 (8th Cir. 2007) (a fantasy sports operator’s use of baseball statistics in the public domain is protected by the First Amendment), and Daniels v. FanDuel, Inc., 909 F.3d 876 (7th Cir. 2018) (college athletes’ names, likenesses, and statistical data are “newsworthy” and may be used without an athlete’s permission), provide clear answers to issues that are increasingly significant, or even novel, in the post-Murphy legal environment as the legal sports betting industry—and its demands for data—expands.
Similar considerations and questions with regard to data security and intellectual property apply to DFS and esports.
Applicable Data Security Laws
While data protection, data privacy, and data-breach notification are recognized as critical dimensions of cybersecurity law, regulation, and policy, these issues have yet to be addressed in any comprehensive legislation in the U.S. Not so elsewhere. The European Union’s comprehensive General Data Protection Regulation (GDPR) took effect in 2018. The GDPR regulates the processing of personal data within its territoriality requirements. Processing of personal data includes collection, use, storage, organization, disclosure, or any other operation performed on personal data. Personal data is defined as any information relating to an identified or identifiable person, including names, identification numbers, location data, IP addresses, etc. The GDPR’s territoriality requirements bring within its scope any organization with an “establishment” in the EU that processes personal data as part of that establishment’s activities.
As for the U.S., there is not yet a single, comprehensive federal data protection law. There are several federal laws that address data security in specific areas, including:
- Children’s Online Privacy Protection Act (COPPA)
- Computer Fraud and Abuse Act (CFAA)
- Consumer Financial Protection Act (CFPA)
- Electronic Communications Privacy Act (ECPA)
- Family Educational Rights and Privacy Act (FERPA)
- Federal Trade Commission Act (FTC Act)
- Health Insurance Portability and Accountability Act (HIPAA)
- Fair Credit Reporting Act (FCRA)
These laws, however, speak to highly diverse forms of data and expectations of privacy, with divergent requirements for relevant industry actors.
States, however, have moved more rapidly to address privacy, cybersecurity, and data breaches, passing or at least considering hundreds of bills across all 50 states, territories, and the District of Columbia, many of which focus heavily on consumer protection. At least 25 states have laws addressing data security practices in the private sector, more than half of them passed in the last five years. Most states also now have data disposal laws, governing how companies destroy or render indecipherable the personal information obtained from customers and employees. The California Consumer Privacy Act (CCPA) is notable for its comprehensive approach, as it applies to most for-profit companies that do business in the state, and regulates all “personal information,” encompassing nearly any and all information that a business might collect from a customer.
The rapid expansion of legalized sports betting, as well as the emergent areas of DFS and esports, has created both opportunities and challenges for the business lawyer. In particular, online and mobile platforms for sports betting and DFS, as well as team trademarks and design of esports games, raise rapidly mounting issues and dynamic questions related to intellectual property and data protection, privacy, and security.
A business lawyer advising clients in these areas, or working directly in the gaming industry or with public officials who either have or claim a stake in the success of gaming regulation, needs to know how data protection compliance and intellectual property interests operate in these rapidly developing contexts as they merge with gaming law in retail casino operations and online or mobile wagering alike.
Fortunately, the ABA’s Business Law Section, including its Gaming Law, Intellectual Property, and Sports Law Committees, will continue to spotlight these issues as they arise and evolve.